Certificate Fails to create when associated to a Key Vault #3732
Comments
Hi @TomMakes sorry you're having some challenges with this resource. I've done a little digging myself and can't see anything obviously wrong with your setup. I've not been able to run the sample code as it depends on a few external pieces to be implemented (env, consts and the actual cert binary). If the creation via the CLI is working, I'd suggest using that to export an ARM template and inspect how that is structured. This might give an indication as to the values the Azure service is happy with. Another option to try out is using a different version of the resource. These are located as sub-packages within the azure-native SDK e.g.
Hi @danielrbradley I looked at the ARM template, and it doesn't look too useful. I tried using v20240401_native_web and it gave me the same error, so sadly that didn't fix anything. Here is the ARM template output:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaults_test_key_vault_3_name": {
      "defaultValue": "test-key-vault-3",
      "type": "String"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2024-04-01-preview",
      "name": "[parameters('vaults_test_key_vault_3_name')]",
      "location": "centralus",
      "properties": {
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "tenantId": "35a7d303-0fa8-4387-a3ba-9416897264e1",
        "accessPolicies": [
          {
            "tenantId": "35a7d303-0fa8-4387-a3ba-9416897264e1",
            "objectId": "958d1200-4a93-4cfd-8019-b61847252a9b",
            "permissions": {
              "certificates": [
                "get",
                "list",
                "delete",
                "create",
                "import",
                "update",
                "getissuers",
                "listissuers",
                "recover",
                "purge",
                "backup",
                "restore"
              ],
              "keys": [
                "get",
                "list",
                "update",
                "create",
                "delete",
                "purge"
              ],
              "secrets": [
                "get",
                "list",
                "set",
                "delete",
                "backup",
                "restore",
                "recover",
                "purge"
              ]
            }
          }
        ],
        "enabledForDeployment": true,
        "enabledForDiskEncryption": true,
        "enabledForTemplateDeployment": true,
        "enableSoftDelete": false,
        "softDeleteRetentionInDays": 90,
        "enableRbacAuthorization": false,
        "vaultUri": "[concat('https://', parameters('vaults_test_key_vault_3_name'), '.vault.azure.net/')]",
        "provisioningState": "Succeeded",
        "publicNetworkAccess": "Enabled"
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2024-04-01-preview",
      "name": "[concat(parameters('vaults_test_key_vault_3_name'), '/test-cert-2')]",
      "location": "centralus",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_test_key_vault_3_name'))]"
      ],
      "properties": {
        "attributes": {
          "enabled": true,
          "nbf": 1733255158,
          "exp": 2048615158
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2024-04-01-preview",
      "name": "[concat(parameters('vaults_test_key_vault_3_name'), '/test-cert-2')]",
      "location": "centralus",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_test_key_vault_3_name'))]"
      ],
      "properties": {
        "contentType": "application/x-pkcs12",
        "attributes": {
          "enabled": true,
          "nbf": 1733255158,
          "exp": 2048615158
        }
      }
    }
  ]
}
```
Hi @TomMakes, could it be missing permissions to the Vault? The docs here say
and I don't see such an access policy for your Vault. Although, admittedly, the "invalid value" error would be strange in this case. If that still doesn't help, could you run
Hi @thomas11, I've been poking around these past few days and tried a few things:
Thank you for the log. We can see that the KV id is Unfortunately, it's hard for me to tell what Azure finds wrong here given the unhelpful error message. However, looking around the web a bit, I get the impression that the Microsoft.Web/certificates API is only intended to add existing certificates to a web app. I.e., add the cert with the given
Upon further investigation my team decided it was best to try another route, going with the Azure classic provider ('@pulumi/azure'). We were able to get the key vault and certificate created in the key vault using this code. Pulumi.yaml
index.ts

```typescript
import * as azure from '@pulumi/azure';
import * as std from "@pulumi/std";
import { CONSTS } from '../azure/constant_values';

// Load environment variables
// eslint-disable-next-line @typescript-eslint/no-var-requires
const dotenv = require('dotenv');
dotenv.config({ path: '../.env' });

// Tenant of the identity Pulumi is running as
const current = azure.core.getClientConfig({});

const buildTestInfrastructure = async () => {
  const RESOURCE_GROUP_NAME = 'demo-test-rg';
  const AZURE_TENANT_ID = process.env.AZURE_TENANT_ID as string;

  const keyvault_name = 'test-key-vault-7';
  const keyvault = new azure.keyvault.KeyVault(keyvault_name, {
    name: keyvault_name,
    location: CONSTS.LOCATION.CENTRAL_US_LOWER,
    resourceGroupName: RESOURCE_GROUP_NAME,
    enabledForDiskEncryption: true,
    tenantId: current.then(current => current.tenantId),
    softDeleteRetentionDays: 7,
    purgeProtectionEnabled: false,
    skuName: "standard",
    accessPolicies: [
      {
        objectId: '958d1200-4a93-4cfd-8019-b61847252a9b',
        certificatePermissions: ['Get', 'List', 'Import', 'Delete', 'Purge'],
        secretPermissions: ['Set', 'Get', 'List', 'Delete', 'Purge'],
        tenantId: AZURE_TENANT_ID
      },
    ]
  });

  // Import the PFX (base64-encoded) into the vault; the PFX password is supplied separately
  const ssl_cert_name = 'test-cert';
  const ssl_cert_password = process.env.SSL_CERT_PASSWORD;
  const ssl_cert_filename = `../certs/2025/test_demo_io.pfx`;
  const exampleCertificate = new azure.keyvault.Certificate("example-cert", {
    name: ssl_cert_name,
    keyVaultId: keyvault.id,
    certificate: {
      contents: std.filebase64({
        input: ssl_cert_filename,
      }).then(invoke => invoke.result),
      password: ssl_cert_password,
    },
  });
};

buildTestInfrastructure().then(async () => {
  console.log('done');
});
```
Hi @TomMakes, glad you're unblocked for now. I think I see where the problem comes from: in azure-native, you're using the

```typescript
const certificateSecret = new azure.keyvault.Secret("myCertificate", {
    vaultName: keyVault.name,
    resourceGroupName: rg.name,
    properties: {
        value: "<base64-encoded-certificate>",
        contentType: "application/x-pkcs12", // or "application/x-pem-file" depending on your certificate format
    },
});
```
Hi @thomas11 thanks for the reply, my only issue with this way of creating a certificate is that I can't provide a password to use to decrypt the certificate.

You could decrypt it locally in your Pulumi program. You can obtain the password from Pulumi config or any source really, read the cert, and put the decrypted value into the
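As an added example (not code from this thread or from pulumi-azure-native), a helper that builds the `properties` for the keyvault.Secret approach suggested above: it detects whether the file is a DER PKCS#12 or a PEM bundle, picks the matching `contentType`, rejects a PEM whose private key is still password-protected or missing (the secret has no password field, so the key must already be decrypted), and base64-encodes the bytes for `value`. The function names and the file path are assumptions.

```typescript
import { readFileSync } from "node:fs";

type CertSecretProps = {
  value: string;                                              // base64 of the raw file bytes
  contentType: "application/x-pkcs12" | "application/x-pem-file";
};

// PEM is text with BEGIN markers; a DER PKCS#12 (PFX) starts with an ASN.1 SEQUENCE tag (0x30).
function detectCertFormat(bytes: Buffer): "pkcs12" | "pem" {
  const text = bytes.toString("latin1");
  if (text.includes("-----BEGIN ")) return "pem";
  if (bytes.length > 2 && bytes[0] === 0x30) return "pkcs12";
  throw new Error("input is neither a PEM bundle nor a DER PKCS#12 file");
}

// Returns the `properties` object for an azure-native keyvault.Secret holding a certificate.
function certSecretProps(bytes: Buffer): CertSecretProps {
  const fmt = detectCertFormat(bytes);
  if (fmt === "pem") {
    const text = bytes.toString("latin1");
    // Key Vault cannot take a password for a secret, so an encrypted key must be decrypted locally first.
    if (text.includes("-----BEGIN ENCRYPTED PRIVATE KEY-----") || text.includes("Proc-Type: 4,ENCRYPTED")) {
      throw new Error("PEM private key is password-protected; decrypt it before uploading");
    }
    // App Service needs both the private key and the certificate in the bundle.
    if (!/-----BEGIN (RSA |EC )?PRIVATE KEY-----/.test(text)) {
      throw new Error("PEM bundle contains no private key");
    }
    if (!text.includes("-----BEGIN CERTIFICATE-----")) {
      throw new Error("PEM bundle contains no certificate");
    }
  }
  return {
    value: bytes.toString("base64"),
    contentType: fmt === "pem" ? "application/x-pem-file" : "application/x-pkcs12",
  };
}

// Convenience wrapper for a file on disk (the path is an assumption for illustration).
function certSecretPropsFromFile(path: string): CertSecretProps {
  return certSecretProps(readFileSync(path));
}
```

Spread the returned object into `properties` of the `azure.keyvault.Secret` resource, e.g. `properties: certSecretPropsFromFile("../certs/2025/test_demo_io.pfx")`.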
What happened?
I am trying to create a key vault and certificate in an existing resource group.
The key vault is able to be created, but the certificate fails with an error:

```
error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The parameter Properties.KeyVaultId has an invalid value." Details=[{"Message":"The parameter Properties.KeyVaultId has an invalid value."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51008","Message":"The parameter Properties.KeyVaultId has an invalid value.","MessageTemplate":"The parameter {0} has an invalid value.","Parameters":["Properties.KeyVaultId"]}}]
```
Things I've tried:
Example
Cert creation script

```shell
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/C=US/ST=MA/L=Boston/O=TestOrg/OU=devops/CN=demo.test.io"
openssl pkcs12 -export -in cert.pem -inkey key.pem -out test-cert-2.pfx
```
Pulumi file
Output of `pulumi about`

```
CLI
Version      3.134.1
Go Version   go1.23.1
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  azure         6.0.0
resource  azure-native  2.65.1
resource  azuread       5.53.4
language  nodejs        unknown
resource  random        4.13.2

Host
OS       Microsoft Windows 11 Pro
Version  10.0.22631 Build 22631
Arch     x86_64

This project is written in nodejs: executable='C:\Program Files\nodejs\node.exe' version='v18.10.0'
```
Additional context
No response